SaltStack has released a security update to Salt to address three critical vulnerabilities. We strongly recommend that you prioritize this update.

This is a security release. The following CVE’s were fixed as part of this release:

CVE DESCRIPTIONS

CVE-2020-16846: 

  • Impact: This CVE affects any users running the Salt API. An unauthenticated user with network access to the Salt API can use shell injections to run code on the Salt-API using the SSH client.
  • Description: A user could use shell injections with the Salt API using the SSH Client.  
  • Solution: Prevent shell injections in netapi SSH client
  • How to Mitigate: Install the CVE fix and ensure your Salt-API has been restarted
  • Severity Rating: 9.8 Critical.

CVE-2020-17490: 

  • Impact: This CVE affects any Minions or Masters that previously used the create_ca, create_csr, and create_self_signed_cert functions in the TLS module.
  • Description: When using the functions create_ca, create_csr, and create_self_signed_cert in the tls execution module, it would not ensure the key was created with the correct permissions. With the CVE fix, the keys are no longer created with world-readable permissions and use 600.
  • Solution: Prevent creating world-readable private keys with the tls execution module.
  • How to mitigate: Users will need to check to ensure 600 permissions are applied to any keys that were previously created by the TLS execution module. Going forward, if the CVE fix is applied while using the tls module, the created keys will have the correct permissions.
  • Severity Rating: 7.5 High.

CVE-2020-25592: 

  • Impact: Affects users running the Salt API. Salt-netapi improperly validates eauth credentials and tokens.
  • Description: Properly validate eauth credentials and tokens along with their Access Control Lists – ACLs. Prior to this change, eauth was not properly validated when calling Salt SSH via the salt-api. Any value for “eauth” or “token” would allow a user to bypass authentication and make calls to Salt SSH.  
  • Solution: When using the SSH client, an unauthenticated user can gain access to run commands against targets set in an Salt-SSH roster.
  • How to Mitigate: Install the patch provided below and restart your Salt-API 
  • Severity Rating: 9.8 Critical.

SECURITY UPDATE PACKAGES AND PATCHES

Packages

You can download the security packages from the repo (repo.saltstack.com)

The following versions will have a package available for download (please install the latest package for your installed version):

  • 3002.x 
  • 3001.x  
  • 3000.x 
  • 2019.x 

Patches

You can download the security patch from https://gitlab.com/saltstack/open/salt-patches

The following versions will have a patch available for download:

  • 3002
  • 3001.1, 3001.2
  • 3000.3, 3000.4
  • 2019.2.5, 2019.2.6
  • 2018.3.5
  • 2017.7.4, 2017.7.8
  • 2016.11.3, 2016.11.6, 2016.11.10
  • 2016.3.4, 2016.3.6, 2016.3.8
  • 2015.8.10, 2015.8.13

NOTE: If you are running an older version of Salt, please update to a version listed above before applying an available patch.

Attribution

CVE-2020-16846 and CVE-2020-17490 were discovered and submitted by KPC of Trend Micro Zero Day Initiative.

Note: this post was updated with CVE severity ratings on 16 Nov 2020.